Remix.run Logo
Intralexical a day ago

Would capabilities enable granting access to specific programs and not just users? Like using AppArmor profiles. So QEMU, gVisor, Docker etc. can still use KVM for unprivileged users, but malware wouldn't be able to access it directly.

codedokode 18 hours ago | parent [-]

That's the problem with many Linux distributions - their developers assume that you trust programs you run and if you run malware it is your fault. But you cannot trust commercial and closed-source programs so Linux is not ready for using them. Instead of solving the problem they simply make it user's responsibility.

So as a responsible user I am slowly writing my own sandboxes, struggling with lack of documentation and designing workarounds.